Miaoer's little blog (xLog mirror site)
OpenWrt AdGuard Home Quick Setup Experience

Preface#

AdGuard Home is a free and open-source DNS server that blocks ads and tracking for the whole network. Combined with the right plugins in a mainland-China network environment, it gives DNS-level ad blocking and protection against DNS pollution. Using it together with oc is recommended. Do not use the redirect mode in CatWrt; other firmware has not been tested, and this redirect mode will probably be deprecated in a few days.

This article will be relatively simple and easy to understand, allowing you to quickly get started with AdGuard Home.

Recommended blogs:

Differences#

Starting from v23.8, the executable path inside the plugin is /usr/bin/AdGuardHome/AdGuardHome, whereas earlier versions used /usr/bin/AdGuardHome, which caused some confusion. The only difference is that the first is a directory containing the binary and the second is the binary itself; no permission changes and no copying to another location are required. Just follow the update instructions in the plugin.

Initialization#

From v23.8 on, the procedure is the normal one: update the kernel version, enable "Restart when the network is ready after booting", and then click Enable. Wait for the application to start successfully, then click through to the ADG initialization in the backend.

Step 1/5: Start configuration

Listening interface: All interfaces
Port: 3000
DNS server: All interfaces
Port: 5335


Step 2/5: Next

Username: Custom
Password: Custom
Confirm password: Custom

Step 3/5: Next

Step 4/5: Next

Step 5/5: Open the dashboard

DNS Settings#

Upstream DNS Servers#

tls://dns.google
tls://dns.opendns.com
tls://<UID>.dns.nextdns.io

It is recommended to register and log in at dns.nextdns.io. The speed is good and the free quota is sufficient for normal use. After registering and logging in, you are given your own DNS endpoint; replace <UID> in the upstream address with your own ID.

Domestic DNS servers are not used here because they could pollute the whole DNS pool. As the saying goes, it's either all domestic or all foreign; if it's all domestic, there is no point in bothering with ADG.

Parallel requests

Bootstrap DNS Servers#

119.29.29.99
223.6.6.6

Apply

DNS Service Configuration#

Speed limit: 0

Enable EDNS client subnet

Enable DNSSEC

Blocking mode: Custom IP

Block IPv4: 127.0.0.1
Block IPv6: ::1

Apply

DNS Cache Configuration#

Cache size: It depends on how much memory the machine has. I chose 64M here, which is 64000000 bytes.

Override minimum TTL value: 3600

Override maximum TTL value: 86400

Apply

General Settings#

Log Configuration#

Query log retention time: It depends on the size of the machine's memory. I chose 7 days here. If your storage space is too small and you have too many devices, please shorten the log storage time.

Ignored domains: Typically the domains that generate the most queries, excluded to reduce storage pressure.

dataflow.biliapi.com
tracking.miui.com

Apply

Statistics Configuration#

Statistics retention: It depends on the size of the machine's memory. I chose 7 days here. It seems that it does not take up much storage space.

DNS Blacklist#

You can choose from several lists provided on the internet or by the official website. Here, I mainly focus on caching acceleration, blocking trackers, and anti-pollution.

You can add a custom list simply by adding a usable link. Several mirrors are listed below so that a working one is available even if one of them cannot be reached.

https://cdn.jsdelivr.net/gh/miaoermua/AdguardFilter@main/rule.txt
https://fastly.jsdelivr.net/gh/miaoermua/AdguardFilter@main/rule.txt
https://raw.githubusercontent.com/miaoermua/AdguardFilter/main/rule.txt

You can also choose from the recommended rules provided by the official website, but this is not recommended because they may produce false positives. If you do use them, be prepared to deal with the network problems they can cause.

Encryption Settings#

Here you need a public IP address (IPv4/v6) with the port reachable from outside. The encryption settings let you use your AdGuard Home DNS from the external internet.

Enable encryption (HTTPS, DNS-over-HTTPS, DNS-over-TLS)

Server name: Your domain name. Here, you need to set up dynamic domain name resolution (DDNS).

Automatically redirect HTTPS

HTTPS port: Custom. This is the port for external access. It should not conflict with the DoH port and H3 port. Avoid using 443!

DNS-over-TLS port and DNS-over-QUIC port should be set to 853.

The certificate needs no further explanation. You can upload your certificate files via SFTP or SCP and enter their absolute paths, or simply paste the certificate content.

The .pem file is the certificate (public key), and the .key file is the private key.

Apply

Then go to OpenWrt Network - Firewall - Traffic Rules - Open Router Ports and allow the ports you have set: the Web UI listening port, the DNS server port, the HTTPS port, and the DoQ & DoT ports.

The Web UI listening port uses TCP, while the others can use TCP+UDP.

Save and Apply
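As an added example that is not part of the original post, the following script emits the uci commands behind the firewall step above, so the rules can be reviewed before they are applied. The port numbers follow this post (3000, 5335, 853) with 8443 as a stand-in for the custom HTTPS port, and the zone names `lan`/`wan` are assumptions for a default OpenWrt setup. Unlike the "Open Router Ports" shortcut, it accepts the Web UI and plain-DNS ports only from the LAN zone, so that only the encrypted listeners are reachable from the WAN.

```shell
#!/bin/sh
# Added example, not the original post's code: print (or, with "apply", run)
# the OpenWrt uci commands that open the AdGuard Home ports.
# Port numbers and zone names are assumptions based on this post.

WEBUI_PORT=3000      # AdGuard Home web UI (TCP only)
DNS_PORT=5335        # plain DNS, used by LAN clients and the oc plugin
HTTPS_PORT=8443      # assumed custom DoH/HTTPS port; the post says to avoid 443
DOT_DOQ_PORT=853     # DNS-over-TLS and DNS-over-QUIC

# rule NAME SRC_ZONE PROTO PORT: print the uci commands for one firewall rule
rule() {
  name=$1; src=$2; proto=$3; port=$4
  printf '%s\n' \
    "uci add firewall rule" \
    "uci set firewall.@rule[-1].name='$name'" \
    "uci set firewall.@rule[-1].src='$src'" \
    "uci set firewall.@rule[-1].proto='$proto'" \
    "uci set firewall.@rule[-1].dest_port='$port'" \
    "uci set firewall.@rule[-1].target='ACCEPT'"
}

# adg_firewall_rules: the complete rule set. The web UI and the unencrypted
# DNS port are accepted from the LAN zone only; only the encrypted listeners
# (DoH on the HTTPS port, DoT/DoQ on 853) are opened towards the WAN.
adg_firewall_rules() {
  rule 'ADG-WebUI'   lan 'tcp'     "$WEBUI_PORT"
  rule 'ADG-DNS'     lan 'tcp udp' "$DNS_PORT"
  rule 'ADG-DoH'     wan 'tcp'     "$HTTPS_PORT"
  rule 'ADG-DoT-DoQ' wan 'tcp udp' "$DOT_DOQ_PORT"
  echo "uci commit firewall"
  echo "/etc/init.d/firewall reload"
}

# count_rules: how many firewall rules the generator produces (for checking)
count_rules() {
  adg_firewall_rules | grep -c '^uci add firewall rule'
}

case "${1:-print}" in
  apply) adg_firewall_rules | sh ;;   # execute on the router
  *)     adg_firewall_rules ;;        # default: only print for review
esac
```

Run it without arguments first and read the output; once the zones and ports match your setup, run it with `apply` on the router. If your Web UI port or HTTPS port differ from the values above, change the variables at the top.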

Linkage#

For the oc-Meta plugin, add the NameServer address in the override settings: fill in your own internal network address, with server port 5335 and server type UDP.

You can use a domain name here instead, but then you also need to modify the hosts file of both the system and the plugin, otherwise the network will break if the IP address changes. I won't demonstrate that here.

You can also set Default-NameServer to 223.6.6.6 TLS.

Enabling redirect mode for other plugins is not recommended, as it may crash. It may work fine on its own, without being linked to other plugins.

Want to use it from your phone as well? You can try changing the DNS settings in apps such as Surfboard and c-Meta.
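Once the linkage is in place, it is worth confirming from a LAN client that AdGuard Home actually answers, blocks, and passes DNSSEC validation through. The following check script is an added example, not code from the original post: the router address 192.168.1.1 is an assumption, the port 5335 and the blocking IP 127.0.0.1 follow the settings chosen above, and tracking.miui.com is assumed to be on your blocklist (replace it with a domain you know is blocked). It needs `dig` on the client and only sends live queries when started with `run`.

```shell
#!/bin/sh
# Added example, not the original post's code: verify an AdGuard Home instance
# from a LAN client with dig. Host, port and domain names are assumptions.

ADG_HOST="${ADG_HOST:-192.168.1.1}"   # assumed router / AdGuard Home address
ADG_PORT="${ADG_PORT:-5335}"          # DNS server port chosen during setup
BLOCK_V4="127.0.0.1"                  # custom blocking IPv4 chosen during setup
BLOCK_V6="::1"                        # custom blocking IPv6 chosen during setup

# answer_kind ANSWER: classify a "dig +short" answer as empty, blocked or resolved
answer_kind() {
  case "$1" in
    "")                        echo empty ;;
    "$BLOCK_V4"|"$BLOCK_V6")   echo blocked ;;
    *)                         echo resolved ;;
  esac
}

# dnssec_validated DIG_OUTPUT: true when the response header carries the "ad"
# (authenticated data) flag, i.e. the validating upstream's result was passed on
dnssec_validated() {
  printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# check_domain NAME EXPECTED_KIND: query AdGuard Home and compare the result
check_domain() {
  ans=$(dig +short +time=3 +tries=1 "@$ADG_HOST" -p "$ADG_PORT" "$1" A | head -n 1)
  kind=$(answer_kind "$ans")
  printf '%-24s %-9s (%s)\n' "$1" "$kind" "${ans:-no answer}"
  [ "$kind" = "$2" ]
}

# run_checks: the live checks; each failing check ends the script with status 1
run_checks() {
  check_domain example.com resolved        # upstream path works
  check_domain tracking.miui.com blocked   # assumed to be on your blocklist
  out=$(dig +dnssec +time=3 +tries=1 "@$ADG_HOST" -p "$ADG_PORT" example.com A)
  if dnssec_validated "$out"; then
    echo "DNSSEC: validated (ad flag set)"
  else
    echo "DNSSEC: not validated (no ad flag)"
    return 1
  fi
}

# Defining the functions has no side effects; queries are only sent with "run".
if [ "${1:-}" = run ]; then
  run_checks
fi
```

A blocked domain that comes back `resolved` usually means the client is not actually using AdGuard Home (check the oc nameserver override and the client's DNS setting); an `empty` answer for a normal domain points at the upstream or bootstrap configuration.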

This article is synchronized and updated to xLog by Mix Space.
The original link is https://www.miaoer.xyz/posts/network/openwrt-adg
